Sophos

W32/Atak-A

Aliases
  • W32/Atak@MM
  • I-Worm.Atak.a

Summary

 
Included in our products from September 2004 (3.85)
Protection available since 14 July 2004 11:26:37 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

You will also need to edit the following registry entry for each user who ran the virus. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export Range' panel, click 'All', then save your registry as Backup.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entry:

HKU\[code number]\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

and delete any reference to <SYSTEM>\hint.exe.

Close the registry editor.

Editing Win.ini

At the taskbar, click Start|Run and type Sysedit. Bring Win.ini to the front. In the [windows] section, search for a line beginning with 'Run=' and delete any reference to the file hint.exe and its path. Delete only that reference, not any other text.

Reboot your computer.
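
The Win.ini edit described above can be checked offline against a copy of the file. The following is an added example, not part of the original Sophos write-up: it removes only the hint.exe reference from the load= and run= lines of the [windows] section and leaves every other entry alone. The sample file contents, the function names and the rule that entries are separated by spaces or commas are assumptions made for this example.

```python
import ntpath
import re

TARGET = "hint.exe"      # file name given in the write-up
KEYS = {"load", "run"}   # startup keys in the [windows] section

def strip_refs(value):
    """Return (kept_value, removed_entries) for a load/run value.

    Assumes entries are separated by spaces or commas, so paths that
    contain spaces are not handled.
    """
    entries = [e for e in re.split(r"[ ,]+", value.strip()) if e]
    removed = [e for e in entries
               if ntpath.basename(e.strip('"')).lower() == TARGET]
    kept = [e for e in entries if e not in removed]
    return " ".join(kept), removed

def clean_win_ini(text):
    """Remove hint.exe references from load=/run= in [windows] only."""
    out, findings, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "windows" and "=" in line and not stripped.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() in KEYS:
                kept, removed = strip_refs(value)
                if removed:
                    findings.extend((key.strip(), r) for r in removed)
                    line = f"{key}={kept}"   # other entries stay in place
        out.append(line)
    return "\r\n".join(out) + "\r\n", findings

# Constructed sample win.ini, not taken from an infected machine.
SAMPLE = (
    "[windows]\r\n"
    "load=C:\\WINDOWS\\SYSTEM\\hint.exe C:\\TOOLS\\clock.exe\r\n"
    "Run=\r\n"
    "[fonts]\r\n"
    "load=hint.exe\r\n"
)

if __name__ == "__main__":
    cleaned, found = clean_win_ini(SAMPLE)
    for key, entry in found:
        print(f"removed from {key}=: {entry}")
    print(cleaned, end="")
```

strip_refs can also be applied to the data of the per-user registry load value, since it holds the same kind of entry.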

More Information

W32/Atak-A is a worm that arrives in an email with the following characteristics:

Subject lines:
Important Data!
Read the Result!

Message text:
Authorized Researcher Only.

Attached file: <random>.zip

W32/Atak-A harvests email addresses from files on the hard disk.

When first run, W32/Atak-A copies itself to the Windows system folder as hint.exe and sets the following registry entry to ensure it is run at system startup:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
load = <SYSTEM>\hint.exe

W32/Atak-A will also add the following line to the win.ini file to ensure it is run at system startup:

load=C:\WINDOWS\SYSTEM\hint.exe

W32/Atak-A contains the following text inside its code:

-={ 4tt4(k 4g4!n$t N3tSky, B34gl3, MyD00m, L0vG4t3, N4ch!, Bl4st3r }=-
